
If you have a Gmail account, you need to be aware of a scary scam that continues to trick people into handing over their login credentials.

Beware of Gmail scam that will steal your info

According to tech security site WordFence, the message comes from the email account of someone you know — someone whose account has already been compromised.

The email contains image attachments that appear to be PDF files, and when you click on the attachment, a new tab opens and prompts you to log into your Gmail account again.

The new tab then shows ‘accounts.google.com’ and appears to be a fully functioning and safe Google page when, in fact, it’s a fake site set up by hackers.

According to WordFence:

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list. For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

Once the hackers have access to your account, they can download your emails and access any other information stored in the account.

According to TechTimes, ‘The trick to identify the bug lies in careful scrutinization of the address bar. The bug hides in plain sight but doesn’t get detected, as most users think that the webpage is Google’s protected login page after seeing ‘accounts.google.com’ in the address bar.’

‘The hackers use a phishing method known as URI or data uniform resource identifier. The URI method is used to attach a data file in the location bar in front of ‘https://accounts.google.com.’ The data file ‘data:text/html’ is attached in front of the host name, which opens up the fake login page.’

How to protect yourself from the Gmail scam

Users should make sure that nothing appears in front of the host name in the address bar, and should verify both the protocol and the host name.
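The check described above (verify the protocol and the host name, with nothing in front of it), written out as an added JavaScript example; it is not code from WordFence, TechTimes or Google. The names `checkAddressBar` and `EXPECTED_HOST` are assumptions for this sketch, the sample addresses are constructed, and the check goes slightly beyond the data: case by also rejecting plain http and any other host.

```javascript
// Added example: classify an address-bar string by protocol and host name.
// EXPECTED_HOST is an assumption: the sign-in host named in the article.
const EXPECTED_HOST = "accounts.google.com";

function checkAddressBar(raw) {
  const text = raw.trim();
  let url;
  try {
    url = new URL(text); // WHATWG URL parser, the same rules browsers apply
  } catch {
    return { ok: false, reason: "not a parseable URL" };
  }
  // A data: URI carries the page content itself and has no host at all,
  // so any host name visible in it is only text chosen by the sender.
  if (url.protocol === "data:") {
    const mentionsHost = text.toLowerCase().includes(EXPECTED_HOST);
    return {
      ok: false,
      reason: mentionsHost
        ? "data: URI with trusted host name embedded as text"
        : "data: URI, not a web address",
    };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `unexpected protocol ${url.protocol}` };
  }
  // Compare the parsed host exactly; seeing the name somewhere in the
  // string is not enough.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: `host is ${url.hostname}` };
  }
  return { ok: true, reason: "https and expected host" };
}

// Constructed sample inputs (not taken from a real campaign).
const samples = [
  "https://accounts.google.com/ServiceLogin",
  "data:text/html,https://accounts.google.com/ServiceLogin",
  "https://login.example/accounts.google.com",
  "http://accounts.google.com/",
];
for (const s of samples) console.log(checkAddressBar(s).reason, "<-", s);
```

Only the first sample passes; the data: sample is rejected even though the expected host name is visible in it, because the parser reports no host for that scheme.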

Enabling the two-step authentication available for Gmail can also stop the attack from taking place, because the hacker would need the one-time password (OTP) required to complete the login.

If you think you may have already fallen victim to the scam, change your Gmail password immediately. Then go to your account activity page and end any current sessions that you don’t recognize.

More tips to avoid common phishing scams

Phishing is a way for criminals to carry out identity theft by using fake websites, emails and robocalls to try and steal your personal information — including passwords, banking info, Social Security number and other sensitive data.

If you receive an email claiming to be from your bank or other company that has your personal information, don’t click on any of the links. It could be a scam. Instead, log in to your account separately in a new window to check for any new notices. You can also call the company directly to ask about the information sent via email.

Don’t click on any links in an email you weren’t expecting. Do a search about whatever the sender claims to want or be offering you to make sure it’s legitimate. If you aren’t sure, do a search for the company and then call them directly.


Alex is the Managing Editor of Clark.com and host of Common Cents, a series that makes money simple. By breaking down complicated concepts, Alex shows you how to better understand your money and make smarter decisions — so you can take control of your own life and future! Learn more here.